04 Mar 2020

Active Directory - Recover deleted objects quickly

You’re going to panic when something important is accidentally deleted. It’s scary. In the old days it was a little painful as well. Deleted objects had their links stripped (memberships) and the most appropriate recovery was via the last backup if you wanted things the way they really were. (Tombstone reanimation was a cool thing to say though).

Thankfully, its easy now if you have the recycle bin feature on. (You probably should, and do).

First, find the thing you broke:

get-adobject -filter 'objectclass -eq "user" -AND IsDeleted -eq $True -AND Name -like "*chad*"' -IncludeDeletedObjects -properties IsDeleted,LastKnownParent | Format-List Name,IsDeleted,LastKnownParent,DistinguishedName 

Here we are saying, find deleted user objects that have a name something like “chad”.

The reason we do this first is that we need the distinguished name for recovery; its not quite good enough to know the old name. Part of the delete operation is mangling the name. The mangled name is a filter that tells most AD tools not to show the thing because it is dead. (You can force tools like LDP to include the control though).

When it appears that your search has failed, think a little harder about what you are searching for. For example, you might stress when cduff (the users login name) fails. But keep in mind you’ve asked for Name to be like something in the example above. It’s a different attribute and the search wont find it. It sounds simple, but this is the most common thing that slows people down when the pressure is on.

Second, recover the thing:

Restore-ADObject -Identity "CN=chadduffey\0ADEL:549111ab-f6f0-4239a-8915-9231323eaaf8,CN=Deleted Objects,DC=DropbearSec,DC=com" -NewName "Chad Duffey" -TargetPath "CN=Users,DC=DropbearSec,DC=com"

Note the NewName attribute. That’s the display name, and there are other options here. Also the target: where this thing should be recovered to.

Thats it! Good luck :)



Chad Duffey

Security Engineer